As computing devices become increasingly complex, viruses and malware also are becoming increasingly complex and difficult to detect and prevent. While the prior art includes many approaches for scanning non-volatile storage such as a hard disk drive for such threats, the prior art includes few satisfactory solutions for detecting malicious code loaded into memory or the processor itself. The prior art also is lacking in the ability to detect malicious instructions before they are executed, particularly in situations where the malicious instructions are “new” and not part of a well-known virus or malware.
FIG. 1 depicts an exemplary prior art computing device 100 comprising processor 110, memory 120, and storage device 130. In this example, memory 120 is volatile and can comprise DRAM, SRAM, SDRAM, or other known memory devices, and storage device 130 is non-volatile and can comprise a hard disk drive, solid state drive, flash memory, or other known storage devices. One of ordinary skill in the art will understand that processor 110 can include a single processor core or multiple processor cores as well as numerous cache memories, as is known in the prior art.
In FIG. 2, data is stored on storage device 130. There are numerous mechanisms to store data on storage device 130, and two known mechanisms are shown for illustration purposes. In one mechanism, data is stored as blocks 220 and can be accessed by logical block address (LBA) or a similar addressing scheme. In another mechanism, data is stored as files 230 and can be accessed using a file system. In the prior art, scanning module 210 can be executed by processor 110 and can scan either blocks 220 or files 230 to look for malicious code. This often is referred to as virus scan software and is well-suited for identifying and nullifying known malicious programs that are stored in non-volatile devices such as storage device 130.
While prior art techniques are well-suited for detecting known malicious programs in non-volatile devices, there is no satisfactory technique for detecting malicious instructions in processor 110 or memory 120 when the malicious instructions are not also stored in storage device 130. There also is no satisfactory technique for detecting unknown malicious instructions (e.g., newly introduced viruses) whether stored in storage device 130 or not.
What is needed is a mechanism for detecting malicious instructions in processor 110 and memory 120 and preventing their execution. What is further needed is a mechanism for preventing the execution of unknown malicious instructions, whether stored on storage device 130 or not.
Another aspect of the prior art is shown in FIG. 5. Processor 110 runs operating system 310. Operating system 310 comprises scheduler 510. Operating system 310 is capable of operating multiple threads at once (such as threads 520, 530, and 540), where each thread is a set of code that forms a process or related processes. Scheduler 510 determines which threads to run and follows various algorithms to determine when to start and stop a particular thread. The prior art lacks a technique for identifying a malicious thread and terminating the execution of such a thread.
Therefore, what is further needed is a mechanism for preventing the execution of malicious instructions within a thread in an operating system.